{"sourceData": "Document Title:\r\n===============\r\nTotemomail v4.x & v5.x - Filter Bypass & Persistent Vulnerability\r\n\r\nProduct & Service Introduction:\r\n===============================\r\ntotemomail\u00ae Encryption Gateway protects your email communication with customers and business partners whereas \r\ntotemomail Internal Encryption secures your internal email traffic. In combination, they become the innovative and potent \r\nhybrid encryption solution totemomail Hybrid Encryption. totemomail Encryption Gateway features a high level of security and \r\nit is easy for end users and administrators alike to use. The everyday user will have no need to think about encryption because \r\nthe software is based on a high level of automation.\r\n \r\n(Copy of the Vendor Homepage: http://www.totemo.com/products/mail/overview/introduction/ )\r\n\r\nTechnical Details & Description:\r\n================================\r\nA persistent input validation web vulnerability and a filter bypass issue have been discovered in the official Totemo Email Gateway v4.0 b1343 and v5.0 b512 appliance series.\r\nThe filter bypass issue allows an attacker to evade the controls of a protection or restriction mechanism to compromise further web module context or service functions.\r\nThe persistent validation vulnerability allows an attacker to inject their own malicious script code on the application side of the vulnerable web-application module context.\r\n \r\nThe persistent input validation web vulnerability has been discovered in the `Betreff(Subject)` and `Message (Body)` input fields of the `Neue Nachricht (New Message)` module.\r\nThe attacker can inject malicious script code into the message body or subject input field. After the injection, the non-executable context is sent to another manager by \r\nsecure mail interaction. After the message arrives, the receiver clicks `save as html`. 
At the moment the encoded mail context is generated as html, the malicious \r\ninjected tag becomes executable context. The injection points of the vulnerability are the `subject` and `message body` input fields, and the execution point \r\noccurs at the moment the target manager generates the message as html to review or print.\r\n \r\nThe regular filter mechanism and validation do not allow injecting, for example, iframes and basic script code tags like script, iframe, div into the web input forms. When \r\na payload is included, for example in the subject as listing, the validation parses and encodes the string and shows only the first two characters. We figured out that it is possible \r\nto bypass this by using `img` script code tags with onload alert. The encoding of the input needs to be restricted permanently against special char inputs; the validation procedure \r\nneeds to parse and encode the input without extending the entry with a null location entry.\r\n \r\nVulnerable Module(s):\r\n [+] Posteingang - Nachricht\r\n \r\nVulnerable Input(s):\r\n [+] Subject (Betreff)\r\n [+] Message Body (Nachricht)\r\n \r\nAffected Module(s):\r\n [+] Message Index (main.jsp)\r\n [+] Save as Html (Als HTML Speichern)\r\n \r\n \r\nProof of Concept (PoC):\r\n=======================\r\nThe vulnerability can be exploited by remote attackers with a low privileged web-application user account and low user interaction.\r\nFor security demonstration or to reproduce the vulnerability, follow the provided information and steps below.\r\n \r\n1.1\r\nManual steps to reproduce the vulnerability ...\r\n1. Open a new message\r\n2. Include any random demo text first\r\n3. Now include the script code payloads, at least in the message body\r\n4. Scroll back up to the subject and include the same payload in the subject input field\r\n5. Save the entry as draft\r\n6. 
You can now already see that the service has attached another alt value to the script code\r\nNote: \"><img src=\"x\" alt=\"null\"> \"><\"<img src=\"x\" alt=\"null\">%20%20> ...\r\n7. Now send the message directly to a manager for reply\r\n8. The manager receives the message and tries to review it as html\r\n9. The execution occurs in the subject and the message body of the html file\r\nNote: The html file is wrongly encoded and the values are not parsed again when the html source file is generated\r\n10. Successful reproduction of the filter bypass issue and persistent vulnerability!\r\n \r\n \r\nPoC: Filter Bypass\r\n\"><\"<img src=\"x\">%20%20>\"<iframe src=a>%20<iframe>\r\n\"><img src=x onerror=prompt(23);>\r\n>\"<<img src=\"c\" onerror=alert(1)>\r\n \r\n \r\nSolution - Fix & Patch:\r\n=======================\r\nThe vulnerability can be patched by securely filtering and parsing the img onload alert script code tags that can currently bypass the filter validation of the Betreff input fields.\r\nAfter that, encode and parse the print function that streams the context in html format, where the execution point finally occurs.\r\nFinally, restrict the input and disallow the use of special chars in the subject input field to prevent persistent script code injection attacks.\r\nIn the second step, a secure validation of the pgp key filename (email|preeshare) and input is required to securely encode the vulnerable email and name value of the certificate file.\r\nRe-encode the editor text values so that obviously broken format context is not returned, as demonstrated in the picture.\r\n \r\nFix (temp): Do not open email via the save as html function to prevent exploitation of the issue.\r\n \r\nTotemo AG: The vulnerability is already patched in the newest version of the appliance web-application to protect customers.\r\nThe update can be processed automatically or by manual interaction with the web-service.\n\n# 0day.today [2016-04-27] #", "reporter": "bot", "cvelist": [], "edition": 1, "title": 
"Totemomail 4.x and 5.x - Persistent XSS Vulnerability", "references": [], "href": "http://0day.today/exploit/description/25250", "history": [], "published": "2016-04-26T00:00:00", "type": "zdt", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "hash": "f5fd0f700a9d84814a2bbb19df0c14dea08eaa1460a060907281f07986a30fc8", "lastseen": "2016-04-27T09:31:24", "sourceHref": "http://0day.today/exploit/25250", "modified": "2016-04-26T00:00:00", "description": "Exploit for jsp platform in category web applications", "bulletinFamily": "exploit", "id": "1337DAY-ID-25250"}